FFIEC IT Examination Handbook
E-Banking Booklet
August 2003
Table of Contents
Introduction 1
Definition of E-Banking 1
Informational Websites 1
Transactional Websites 2
E-Banking Components 3
Weblinking 7
Account Aggregation 8
Electronic Authentication 8
Website Hosting 9
Wireless E-Banking 13
E-Banking Risks 14
Transaction/Operations Risk 14
Credit Risk 14
Compliance/Legal Risk 15
Strategic Risk 17
Reputation Risk 17
E-Banking Strategy 19
Audit 21
Security Guidelines 27
Administrative Controls 33
Internal Controls 34
Website Content 37
Introduction
This booklet, one of several comprising the FFIEC Information Technology Examination
Handbook (IT Handbook), provides guidance to examiners and financial institutions on
identifying and controlling the risks associated with electronic banking (e-banking)
activities. The booklet primarily discusses e-banking risks from the perspective of the
services or products provided to customers. This approach differs from other booklets
that discuss risks from the perspective of the technology and systems that support
automated information processing. To avoid duplication of material, this booklet refers
the reader to other IT Handbook booklets for detailed explanations of technology-specific
issues or controls.
Examiners may use the examination procedures and request letter items included in this
booklet in appendix A to review risks in the electronic delivery of financial products and
services. These procedures address services and products of varied complexity.
Examiners should adjust the procedures, as appropriate, for the scope of the
examination and the risk profile of the institution. The procedures may be used
independently or in combination with procedures from other IT Handbook booklets or
from agency handbooks covering non-IT areas.
Definition of E-Banking
For this booklet, e-banking is defined as the automated delivery of new and traditional
banking products and services directly to customers through electronic, interactive
communication channels. E-banking includes the systems that enable financial institution
customers, individuals or businesses, to access accounts, transact business, or obtain
information on financial products and services through a public or private network,
including the Internet. Customers access e-banking services using an intelligent
electronic device, such as a personal computer (PC), personal digital assistant (PDA),
automated teller machine (ATM), kiosk, or Touch Tone telephone. While the risks and
controls are similar for the various e-banking access channels, this booklet focuses
specifically on Internet-based services due to the Internet's widely accessible public
network. Accordingly, this booklet begins with a discussion of the two primary types of
Internet websites: informational and transactional.
Informational Websites
Page 1
E-Banking Booklet
• Potential liability for spreading viruses and other malicious code to computers
communicating with the institution's website; and
• Negative public perception if the institution's on-line services are disrupted or if its
website is defaced or otherwise presents inappropriate or offensive material.
Transactional Websites
E-Banking Components
- The Internet banking application processes the transaction against account balance
data through a real time connection to the core banking system or a database of account
balance data, which is updated periodically from the core banking system.
- The Internet banking server has a firewall filtering Internet traffic from its internal
network.
Second, the institution can host all or a large portion of its e-banking systems internally.
A typical configuration for in-house hosted, e-banking services is illustrated below. In this
case, a provider is not between the Internet access and the financial institution's core
processing system. Thus, the institution has day-to-day responsibility for system
administration.
Figure 2 (text description): This diagram illustrates the transaction flow for one possible
configuration in which the bank hosts the Internet banking application.
In addition to traditional banking products and services, financial institutions can provide
a variety of services that have been designed or adapted to support e-commerce.
Management should understand these services and the risks they pose to the institution.
This section discusses some of the most common support services: weblinking, account
aggregation, electronic authentication, website hosting, payments for e-commerce, and
wireless banking activities.
Weblinking
A large number of financial institutions maintain sites on the World Wide Web. Some
websites are strictly informational, while others also offer customers the ability to perform
financial transactions, such as paying bills or transferring funds between accounts.
Virtually every website contains "weblinks." A weblink is a word, phrase, or image on a
webpage that contains coding that will transport the viewer to a different part of the
website or a completely different website by just clicking the mouse. While weblinks are
a convenient and accepted tool in website design, their use can present certain risks.
Generally, the primary risk posed by weblinking is that viewers can become confused
about whose website they are viewing and who is responsible for the information,
products, and services available through that website. There are a variety of risk
management techniques institutions should consider using to mitigate these risks. These
risk management techniques are for those institutions that develop and maintain their
own websites, as well as institutions that use third-party service providers for this
function. The agencies have issued guidance on weblinking that provides details on risks
and risk management techniques financial institutions should consider. See the
interagency guidance titled "Weblinking: Identifying Risks and Risk Management
Techniques" issued April 23, 2003 by the Federal Deposit Insurance Corporation (FDIC),
National Credit Union Administration (NCUA), Office of the Comptroller of the Currency
(OCC), and Office of Thrift Supervision (OTS) (the agencies) for specific risk and risk
management guidance.
Account Aggregation
Account aggregation is a service that gathers information from many websites, presents
that information to the customer in a consolidated format, and, in some cases, may allow
the customer to initiate activity on the aggregated accounts. The information gathered or
aggregated can range from publicly available information to personal account information
(e.g., credit card, brokerage, and banking data). Aggregation services can improve
customer convenience by avoiding multiple log-ins and providing access to tools that
help customers analyze and manage their various account portfolios. Some aggregators
use the customer-provided user IDs and passwords to sign in as the customer. Once the
customer's account is accessed, the aggregator copies the personal account information
from the website for representation on the aggregator's site (i.e., "screen scraping").
Other aggregators use direct data-feed arrangements with website operators or other
firms to obtain the customer's information. Generally, direct data feeds are thought to
provide greater legal protection to the aggregator than does screen scraping.
Financial institutions are involved in account aggregation both as aggregators and as
aggregation targets. Risk management issues examiners should consider when
reviewing aggregation services include:
• Protection of customer passwords and user IDs - both those used to access the
institution's aggregation services and those the aggregator uses to retrieve customer
information from aggregated third parties - to assure the confidentiality of customer
information and to prevent unauthorized activity,
• Disclosure of potential customer liability if customers share their authentication
information (i.e., IDs and passwords) with third parties, and
• Assurance of the accuracy and completeness of information retrieved from the
aggregated parties' sites, including required disclosures.
Electronic Authentication
Verifying the identities of customers and authorizing e-banking activities are integral
parts of e-banking financial services. Since traditional paper-based and in-person identity
authentication methods reduce the speed and efficiency of electronic transactions,
financial institutions have adopted alternative authentication methods, including:
The authentication methods listed above vary in the level of security and reliability they
provide and in the cost and complexity of their underlying infrastructures. As such, the
choice of which technique(s) to use should be commensurate with the risks in the
products and services for which they control access. For example, section 326 of the
USA PATRIOT Act (Pub. L. 107-56) requires financial institutions to implement
reasonable procedures for (1) verifying the identity of any person seeking to open an
account, to the extent reasonable and practicable; (2) maintaining records of the
information used to verify the person's identity, and (3) determining whether the person
appears on any list of known or suspected terrorists or terrorist organizations. See 68
Federal Register 25090 (May 9, 2003); 12 CFR Part 21 (OCC); 12 CFR Parts 208 and
211 (Board); 12 CFR Part 326 (FDIC); 12 CFR Part 563 (OTS), and 12 CFR Part 748
(NCUA). Additional information on customer authentication techniques can be found in
this booklet under the heading "Authenticating E-Banking Customers."
The Electronic Signatures in Global and National Commerce (E-Sign) Act establishes
some uniform federal rules concerning the legal status of electronic signatures and
records in commercial and consumer transactions so as to provide more legal certainty
and promote the growth of electronic commerce (Pub. L. No. 106-229). An electronic
signature may be as simple as a person's typed name or an image of a person's
handwritten signature. The development of secure digital signatures continues to evolve
with some financial institutions either acting as the certification authority for digital
signatures or providing repository services for digital certificates. See OCC Bulletin 99-20,
"Certificate Authority Guidance" (May 4, 1999).
Website Hosting
Some financial institutions host websites for both themselves as well as for other
businesses. Financial institutions that host a business customer's website usually store,
or arrange for the storage of, the electronic files that make up the website. These files
are stored on one or more servers that may be located on the hosting financial
institution's premises. Website hosting services require strong skills in networking,
security, and programming. The technology and software change rapidly. Institutions
developing websites should monitor the need to adopt new interoperability standards
and protocols such as Extensible Mark-Up Language (XML) to facilitate data exchange
among the diverse population of Internet users.
Risk issues examiners should consider when reviewing website hosting services include
damage to reputation, loss of customers, or potential liability resulting from:
• Downtime (i.e., times when website is not available) or inability to meet service levels
specified in the contract,
• Inaccurate website content (e.g., products, pricing) resulting from actions of the
institution's staff or unauthorized changes by third parties (e.g., hackers),
• Unauthorized disclosure of confidential information stemming from security
breaches, and
• Damage to computer systems of website visitors due to malicious code (e.g., virus,
worm, active content) spread through institution-hosted sites.
Many businesses accept various forms of electronic payments for their products and
services. Financial institutions play an important role in electronic payment systems by
creating and distributing a variety of electronic payment instruments, accepting a similar
variety of instruments, processing those payments, and participating in clearing and
settlement systems. However, increasingly, financial institutions are competing with third
parties to provide support services for e-commerce payment systems. Among the
electronic payments mechanisms that financial institutions provide for e-commerce are
automated clearing house (ACH) debits and credits through the Internet, electronic bill
payment and presentment, electronic checks, e-mail money, and electronic credit card
payments. Additional information on payments systems can be found in other sections of
the IT Handbook.
Most financial institutions permit intrabank transfers between a customer's accounts as
part of their basic transactional e-banking services. However, third-party transfers - with
their heightened risk for fraud - often require additional security safeguards in the form of
additional authentication and payment confirmation.
Bill payment services permit customers to electronically instruct their financial institution
to transfer funds to a business's account at some future specified date. Customers can
make payments on a one-time or recurring basis, with fees typically assessed as a "per
item" or monthly charge. In response to the customer's electronic payment instructions,
the financial institution (or its bill payment provider) generates an electronic transaction -
usually an automated clearinghouse (ACH) credit - or mails a paper check to the
business on the customer's behalf. To allow for the possibility of a paper-based transfer,
financial institutions typically advise customers to make payments effective 3-7 days
before the bill's due date.
Internet-based cash management is the commercial version of retail bill payment.
Business customers use the system to initiate third-party payments or to transfer money
between company accounts. Cash management services also include minimum balance
maintenance, recurring transfers between accounts and on-line account reconciliation.
Businesses typically require stronger controls, including the ability to administer security
and transaction controls among several users within the business.
This booklet discusses the front-end controls related to the initiation, storage, and
transmission of bill payment transactions prior to their entry into the industry's retail
payment systems (e.g., ACH, check processing, etc.). The IT Handbook's "Retail
Payments Systems Booklet" provides additional information regarding the various
electronic transactions that comprise the back end for bill payment processing. The
extent of front-end operating controls directly under the financial institution's control
varies with the system configuration. Some examples of typical configurations are listed
below in order of increasing complexity, along with potential control considerations.
• Financial institutions that do not provide bill payment services, but may direct
customers to select from several unaffiliated bill payment providers.
- Caution customers regarding security and privacy issues through the use of on-line
disclosures or, more conservatively, e-banking agreements.
• Financial institutions that rely on a third-party bill payment provider including Internet
banking providers that subcontract to third parties.
- Set dollar and volume thresholds and review bill payment transactions for
suspicious activity.
- Gain independent audit assurance over the bill payment provider's processing
controls.
- Restrict employees' administrative access to ensure that the internal controls
limiting their capabilities to originate, modify, or delete bill payment transactions are
at least as strong as those applicable to the underlying retail payment system
ultimately transmitting the transaction.
- Restrict by vendor contract and identify the use of any subcontractors associated
with the bill payment application to ensure adequate oversight of underlying bill
payment system performance and availability.
- Evaluate the adequacy of authentication methods given the higher risk associated
with funds transfer capabilities rather than with basic account access.
- Consider the additional guidance contained in the IT Handbook's "Information
Security," "Retail Payment Systems," and "Outsourcing Technology Services"
booklets.
• Financial institutions that use third-party software to host a bill payment application
internally.
- Determine the extent of any independent assessments or certification of the
Person-to-Person Payments
the transaction has to have an account with the payment service, such services may be
offered by an insured financial institution, but are frequently offered by other businesses
as well.
Some of the risk issues examiners should consider when reviewing bill payment,
presentment, and e-mail money services include:
Wireless E-Banking
Wireless banking is a delivery channel that can extend the reach and enhance the
convenience of Internet banking products and services. Wireless banking occurs when
customers access a financial institution's network(s) using cellular phones, pagers, and
personal digital assistants (or similar devices) through telecommunication companies'
wireless networks. Wireless banking services in the United States typically supplement a
financial institution's e-banking products and services.
Wireless devices have limitations that increase the security risks of wireless-based
transactions and that may adversely affect customer acceptance rates. Device limitations
include reduced processing speeds, limited battery life, smaller screen sizes, different
data entry formats, and limited capabilities to transfer stored records. These limitations
combine to make the most recognized Internet language, Hypertext Markup Language
(HTML), ineffective for delivering content to wireless devices. Wireless Markup
Language (WML) has emerged as one of a few common language standards for
developing wireless device content. Wireless Application Protocol (WAP) has emerged
as a data transmission standard to deliver WML content.
Manufacturers of wireless devices are working to improve device usability and to take
advantage of enhanced "third-generation" (3G) services. Device improvements are
anticipated to include bigger screens, color displays, voice recognition applications,
location identification technology (e.g., Federal Communications Commission (FCC)
Enhanced 911), and increased battery capacity. These improvements are geared
towards increasing customer acceptance and usage. Increased communication speeds
and improvements in devices during the next few years should lead to continued
increases in wireless subscriptions.
As institutions begin to offer wireless banking services to customers, they should
consider the risks and necessary risk management controls to address security,
authentication, and compliance issues. Some of the unique risk factors associated with
E-Banking Risks
The practice of holding a check at the institution at which it was deposited (or at an
intermediary institution) and electronically forwarding the essential information on the
check to the institution on which it was written. A truncated check is not returned to the
writer.
Transaction/Operations Risk
Credit Risk
Generally, a financial institution's credit risk is not increased by the mere fact that a loan
is originated through an e-banking channel. However, management should consider
additional precautions when originating and approving loans electronically, including
assuring management information systems effectively track the performance of portfolios
originated through e-banking channels. The following aspects of on-line loan origination
and approval tend to make risk management of the lending process more challenging. If
not properly managed, these aspects can significantly increase credit risk.
• Verifying the customer's identity for on-line credit applications and executing an
enforceable contract;
• Monitoring and controlling the growth, pricing, underwriting standards, and ongoing
credit quality of loans originated through e-banking channels;
• Monitoring and oversight of third-parties doing business as agents or on behalf of the
financial institution (for example, an Internet loan origination site or electronic
payments processor);
• Valuing collateral and perfecting liens over a potentially wider geographic area;
• Collecting loans from individuals over a potentially wider geographic area; and
• Monitoring any increased volume of, and possible concentration in, out-of-area
lending.
Compliance/Legal Risk
Compliance and legal issues arise out of the rapid growth in usage of e-banking and the
• Uncertainty over legal jurisdictions and which state's or country's laws govern a
specific e-banking transaction,
• Delivery of credit and deposit-related disclosures/notices as required by law or
regulation,
• Retention of required compliance documentation for on-line advertising, applications,
statements, disclosures and notices; and
• Establishment of legally binding electronic agreements.
Institutions that offer e-banking services, both informational and transactional, assume a
higher level of compliance risk because of the changing nature of the technology, the
speed at which errors can be replicated, and the frequency of regulatory changes to
address e-banking issues. The potential for violations is further heightened by the need
to ensure consistency between paper and electronic advertisements, disclosures, and
notices. Additional information on compliance requirements for e-banking can be found
on the agencies' websites and in references contained in appendix C.
Strategic Risk
A financial institution's board and management should understand the risks associated
with e-banking services and evaluate the resulting risk management costs against the
potential return on investment prior to offering e-banking services. Poor e-banking
planning and investment decisions can increase a financial institution's strategic risk.
Early adopters of new e-banking services can establish themselves as innovators who
anticipate the needs of their customers, but may do so by incurring higher costs and
increased complexity in their operations. Conversely, late adopters may be able to avoid
the higher expense and added complexity, but do so at the risk of not meeting customer
demand for additional products and services. In managing the strategic risk associated
with e-banking services, financial institutions should develop clearly defined e-banking
objectives by which the institution can evaluate the success of its e-banking strategy. In
particular, financial institutions should pay attention to the following:
Reputation Risk
Management should review each of the processes discussed in this section to adapt and
expand the institution's risk management practices as necessary to address the risks
posed by e-banking activities. While these processes mirror those discussed in other
booklets of the IT Handbook, they are discussed below from an e-banking perspective.
For more detailed information on each of these processes, the reader should review the
corresponding booklet of the IT Handbook.
Action Summary
The board of directors and senior management are responsible for developing the
institution's e-banking business strategy, which should include:
• The rationale and strategy for offering e-banking services including informational,
transactional, or e-commerce support;
• A cost-benefit analysis, risk assessment, and due diligence process for
evaluating e-banking processing alternatives including third-party providers;
• Goals and expectations that management can use to measure the e-banking
strategy's effectiveness; and
• Accountability for the development and maintenance of risk management policies
and controls to manage e-banking risks and for the audit of e-banking activities
E-Banking Strategy
Financial institution management should choose the level of e-banking services provided
to various customer segments based on customer needs and the institution's risk
assessment considerations. Institutions should reach this decision through a board-approved
e-banking strategy that considers factors such as customer demand,
competition, expertise, implementation expense, maintenance costs, and capital support.
Some institutions may choose not to provide e-banking services or to limit e-banking
services to an informational website. Financial institutions should periodically re-evaluate
this decision to ensure it remains appropriate for the institution's overall business
strategy. Institutions may define success in many ways including growth in market share,
expanding customer relationships, expense reduction, or new revenue generation. If the
financial institution determines that a transactional website is appropriate, the next
decision is the range of products and services to make available electronically to its
customers. OTS-regulated institutions must send a notice in conformance with 12 CFR
555, "Electronic Operations," prior to establishing a transactional website. To deliver
those products and services, the financial institution may have more than one website or
Financial institutions should base any decision to implement e-banking products and
services on a thorough analysis of the costs and benefits associated with such action.
Some of the reasons institutions offer e-banking services include:
The individuals conducting the cost-benefit analysis should clearly understand the risks
associated with e-banking so that cost considerations fully incorporate appropriate risk
mitigation controls. Without such expertise, the cost-benefit analysis will most likely
underestimate the time and resources needed to properly oversee e-banking activities,
particularly the level of technical expertise needed to provide competent oversight of in-house
or outsourced activities. In addition to the obvious costs for personnel, hardware,
software, and communications, the analysis should also consider:
Once an institution implements its e-banking strategy, the board and management
should periodically evaluate the strategy's effectiveness. A key aspect of such an
evaluation is the comparison of actual e-banking acceptance and performance to the
institution's goals and expectations. Some items that the institution might use to monitor
the success and cost effectiveness of its e-banking strategy include:
• Revenue generated,
• Website availability percentages,
• Customer service volumes,
• Number of customers actively using e-banking services,
• Percentage of accounts signed up for e-banking services, and
• The number and cost per item of bill payments generated.
Without clearly defined and measurable goals, management will be unable to determine
if e-banking services are meeting the customers' needs as well as the institution's growth
and profitability expectations.
In evaluating the effectiveness of the institution's e-banking strategy, the board should
also consider whether appropriate policies and procedures are in effect and whether
risks are properly controlled. Unless the initial strategy establishes clear accountability
for the development of policies and controls, the board will be unable to determine where
and why breakdowns in the risk control process occurred.
Audit
• Scope and coverage, including the entire e-banking process as applicable (i.e.,
network configuration and security, interfaces to legacy systems, regulatory
Action Summary
The board and senior management must provide effective oversight of third-party
vendors providing e-banking services and support. Effective oversight requires that
institutions ensure the following practices are in place:
• Effective due diligence in the selection of new service providers that considers
financial condition, experience, expertise, technological compatibility, and
customer satisfaction;
• Written contracts with specific provisions protecting the privacy and security of an
institution's data, the institution's ownership of the data, the right to audit security
and controls, and the ability to monitor the quality of service, limit the institution's
potential liability for acts of the service provider, and terminate the contract;
• Appropriate processes to monitor vendor's ongoing performance, service quality,
security controls, financial condition, and contract compliance; and
• Monitoring reports and expectations including incident response and
notification.
financial institutions from understanding and managing the risks associated with TSP
services. In fact, service providers may introduce additional risks and interdependencies
that financial institutions must understand and manage.
Table 2 below summarizes some of the advantages and disadvantages of supporting
technology-based products and services in-house versus contracting for support with a
TSP. Regardless of whether an institution's e-banking services are outsourced or
processed in-house, the institution should periodically review whether this arrangement
continues to meet current and anticipated future needs.
Table 2: Advantages and Disadvantages of Common Processing Alternatives [table body not recovered in extraction; the only surviving cell reads "Direct oversight of risks."]
As with all outsourced financial services, institutions must have a formal contract with the
TSP that clearly addresses the duties and responsibilities of the parties involved. In the
past, some institutions have had informal security expectations for software vendors or
Internet access providers that had never been committed to writing. This lack of clear
responsibilities and consensus has led to breakdowns in internal controls and allowed
security incidents to occur. The IT Handbook's "Outsourcing Technology Services
Booklet" lists detailed contract recommendations for TSPs. Institutions should tailor
these recommendations to e-banking services as necessary. Specific examples of e-banking
contract issues include:
• Business continuity plans for e-banking services including alternate processing lines,
backup servers, emergency operating procedures, etc.;
• Performance of, and access to, vulnerability assessments, penetration tests, and
financial and operations audits;
• Limitations on subcontracting of services, either domestically or internationally;
• Choice of law and jurisdiction for dispute resolution and access to information by the
financial institution and its regulators; and
• For foreign-based vendors or service providers (i.e., country of residence is different
from that of the institution), in addition to the above items, contract options triggered
by increased risks due to adverse economic or political developments in the vendor's
or service provider's home country.
Financial institutions that outsource e-banking technical support must provide sufficient
oversight of service providers' activities to identify and control the resulting risks. The key
to good oversight typically lies in effective MIS. However, for MIS to be effective the
financial institution must first establish clear performance expectations. Wherever
possible, these expectations should be clearly documented in the service contract or an
addendum to the contract. Effective and timely MIS can alert the serviced institution to
developing service, financial or security problems at the vendor - problems that might
require execution of contingency plans supporting a change in vendor or in the existing
service relationship.
The type and frequency of monitoring reports needed varies, depending on the
complexity of the services provided and the division of responsibilities between the
institution and its service provider(s). Service providers can build MIS capabilities into the
administrative modules of their application, provide on-line reports, or they can provide
periodic written reports. Some examples of items that might be tracked by e-banking
monitoring reports are listed below:
E-banking service availability. Reports might include statistics regarding the frequency
and duration of service disruptions, including the reasons for any service disruptions
(maintenance, equipment/network problems, security incidents, etc.); "up time" and
"down time" percentages for website and e-banking services; and volume and type of
website access problems reported by e-banking customers.
Activity levels and service volumes. Reports might include number of accounts serviced,
number and percentage of new, active, or inactive accounts; breakdown of intrabank
transfers by number, dollar size, and account type; bill payment activity by number,
average dollar, and recurring versus one-time payments; volume of associated ACH
returns and rejects, fee breakdown by source and type; and activity on informational
website usage by webpages viewed.
Performance efficiency. Reports might include average response times by time of day
(including complaints about slow response); bill payment activity by check versus ACH;
server capacity utilization; customer service contacts by type of inquiry and average time
to resolution; and losses from errors, fraud, or repudiated items.
Security incidents. Reports might include volume of rejected log-on attempts, password
resets, attempted and successful penetration attempts, number and type of trapped
viruses or other malicious code, and any physical security breaches.
Vendor stability. Reports might include quarterly or annual financial reports, number of
new or departing customers, changes in systems or equipment, and employee turnover
statistics, including any changes in management positions.
Quality Assurance. Reports on performance, audit results, penetration tests, and
vulnerability assessments, including servicer actions to address any identified
deficiencies.
Action Summary
Security Guidelines
Financial institutions must comply with the "Guidelines Establishing Standards for
Safeguarding Customer Information" (guidelines) as issued pursuant to the Gramm-
Leach-Bliley Act of 1999 (GLBA). The guidelines were published in the Federal Register
on February 1, 2001, and became effective on July 1, 2001. When financial institutions
introduce e-banking or related support services, management must reassess the impact
to customer information under the GLBA. The guidelines require financial institutions to:
• Identify and assess the risks that may threaten consumer information. In order
to perform a risk assessment, a financial institution gathers information about the
internal and external environment, analyzes that information, and produces a
hierarchical list of risks to be mitigated. This assessment guides the testing program,
indicating which controls should be subject to more frequent or rigorous testing;
• Develop a written plan containing policies and procedures to manage and control
these risks;
• Implement and test the plan; and
• Adjust the plan on a continuing basis to account for changes in technology, the
sensitivity of customer information, and internal or external threats to information
security.
The guidelines also outline the responsibilities of management to oversee the protection
of customer information including the security of customer information maintained or
processed by service providers. Oversight of third-party service providers and vendors is
discussed in this booklet under the headings "Board and Management Oversight" and
"Managing Outsourcing Relationships." Additional information on the guidelines can be
found in the IT Handbook's "Management Booklet." The IT Handbook's "Information
Security Booklet" presents additional information on the risk assessment process and
information processing controls.
The guidelines required by the GLBA apply to customer information stored in electronic
form as well as paper-based records. Examination procedures specifically addressing
compliance with the GLBA guidelines can be accessed through the agency websites
listed in the reference section of this booklet. Although the guidelines supporting GLBA
define customer as "a consumer who has a customer relationship with the institution,"
management should consider expanding the written information security program to
cover the institution's own confidential records as well as confidential information about
its commercial customers.
defensive measures are based on knowledge of the attacker's capabilities and goals,
as well as the probability of attack.
• Up-to-date equipment inventories, and network maps. Financial institutions should
have inventories of machines and software sufficient to support timely security
updating and audits of authorized equipment and software. In addition, institutions
should understand and document the connectivity between various network
components including remote users, internal databases, and gateway servers to
third parties. Inventories of hardware and the software on each system can
accelerate the institution's response to newly discovered vulnerabilities and support
the proactive identification of unauthorized devices or software.
• Rapid response capability to react to newly discovered vulnerabilities. Financial
institutions should have a reliable process to become aware of new vulnerabilities
and to react as necessary to mitigate the risks posed by newly discovered
vulnerabilities. Software is seldom flawless. Some of those flaws may represent
security vulnerabilities, and the financial institution may need to correct the software
code using temporary fixes, sometimes called a "patch." In some cases,
management may mitigate the risk by reconfiguring other computing devices.
Frequently, the financial institution must respond rapidly, because a widely known
vulnerability is subject to an increasing number of attacks.
• Network access controls over external connections. Financial institutions should
carefully control external access through all channels including remote dial-up, virtual
private network connections, gateway servers, or wireless access points. Typically,
firewalls are used to enforce an institution's policy over traffic entering the
institution's network. Firewalls are also used to create a logical buffer, called a
"demilitarized zone," or DMZ, where servers are placed that receive external traffic.
The DMZ is situated between the outside and the internal network and prevents
direct access between the two. Financial institutions should use firewalls to enforce
policies regarding acceptable traffic and to screen the internal network from directly
receiving external traffic.
• System hardening. Financial institutions should "harden" their systems prior to
placing them in a production environment. Computer equipment and software are
frequently shipped from the manufacturer with default configurations and passwords
that are not sufficiently secure for a financial institution environment. System
"hardening" is the process of removing or disabling unnecessary or insecure
services and files. A number of organizations have current efforts under way to
develop security benchmarks for various vendor systems. Financial institutions
should assess their systems against these standards when available.
• Controls to prevent malicious code. Financial institutions should reduce the risks
posed by malicious code by, among other things, educating employees in safe
computing practices, installing anti-virus software on servers and desktops,
maintaining up-to-date virus definition files, and configuring their systems to protect
against the automatic execution of malicious code. Malicious code can deny or
degrade the availability of computing services; steal, alter, or insert information; and
destroy any potential evidence for criminal prosecution. Various types of malicious
code exist including viruses, worms, and scripts using active content.
• Rapid intrusion detection and response procedures. Financial institutions should
have mechanisms in place to reduce the risk of undetected system intrusions.
Computing systems are never perfectly secure. When a security failure occurs and
an attacker is "in" the institution's system, only rapid detection and reaction can
minimize any damage that might occur. Techniques used to identify intrusions
include intrusion detection systems (IDS) for the network and individual servers (i.e.,
host computer), automated log correlation and analysis, and the identification and
analysis of operational anomalies.
• Physical security of computing devices. Financial institutions should mitigate the risk
posed by unauthorized physical access to computer equipment through such
techniques as placing servers and network devices in areas that are available only to
specifically authorized personnel and restricting administrative access to machines in
those limited access areas. An attacker's physical access to computers and network
devices can compromise all other security controls. Computers used by vendors and
employees for remote access to the institution's systems are also subject to
compromise. Financial institutions should ensure these computers meet security and
configuration requirements regardless of the controls governing remote access.
• User enrollment, change, and termination procedures. Financial institutions should
have a strong policy and well-administered procedures to positively identify
authorized users when given initial system access (enrollment) and, thereafter, to
limit the extent of their access to that required for business purposes, to promptly
increase or decrease the degree of access to mirror changing job responsibilities,
and to terminate access in a timely manner when access is no longer needed.
• Authorized use policy. Each financial institution should have a policy that addresses
the systems various users can access, the activities they are authorized to perform,
prohibitions against malicious activities and unsafe computing practices, and
consequences for noncompliance. All internal system users and contractors should
be trained in, and acknowledge that they will abide by, rules that govern their use of
the institution's system.
• Training. Financial institutions should have processes to identify, monitor, and
address training needs. Each financial institution should train their personnel in the
technologies they use and the institution's rules governing the use of that technology.
Technical training is particularly important for those who oversee the key technology
controls such as firewalls, intrusion detection, and device configuration. Security
awareness training is important for all users, including the institution's e-banking
customers.
• Independent testing. Financial institutions should have a testing plan that identifies
control objectives; schedules tests of the controls used to meet those objectives;
ensures prompt corrective action where deficiencies are identified; and provides
independent assurance for compliance with security policies. Security tests are
necessary to identify control deficiencies. An effective testing plan identifies the key
controls, then tests those controls at a frequency based on the risk that the control is
not functioning. Security testing should include independent tests conducted by
personnel without direct responsibility for security administration. Adverse test
results indicate a control is not functioning and cannot be relied upon. Follow-up can
include correction of the specific control, as well as a search for, and correction of, a
root cause. Types of tests include audits, security assessments, vulnerability scans,
and penetration tests.
Authentication methods that depend on more than one factor are typically more difficult
to compromise than single-factor systems, and therefore offer higher reliability of
authentication. For example, the use of a customer ID and password is considered
single-factor authentication since both items are something the user knows. A common
example of two-factor authentication is found in most ATM transactions, where the
customer is required to provide something the user possesses (i.e., the card) and
something the user knows (i.e., the PIN). Single-factor authentication alone may not be
adequate for sensitive communications, high dollar value transactions, or privileged user
access (i.e., network administrators). Multi-factor techniques may be necessary in those
cases. Institutions should recognize that a single-factor system may be "tiered" (e.g.,
require multiple passwords) to enhance security without the implementation of a true
two-factor system. A "tiered" single-factor authentication system would include the use
of multiple levels of a single factor (e.g., the use of two or more passwords or PINs
employed at different points in the authentication process). Tiering may not be as strong
as two-factor authentication because the means used to steal the first password may be
equally effective against the second password.
Password Administration
Despite the concerns regarding single-factor authentication, many e-banking services
still rely on a customer ID and password to authenticate an existing customer. Some
security professionals criticize passwords for a number of reasons, including that a
password strong enough to resist guessing may be beyond the user's ability to remember
while still complying with other password policies, such as not writing the password
down. Password-cracking software and log-on scripts can frequently guess passwords
regardless of the use of encryption. Popular acceptance of this form of authentication
rests on its ease of use and its adaptability within existing infrastructures.
Financial institutions that allow customers to use passwords with short character length,
readily identifiable words or dates, or widely used customer information (e.g., Social
Security numbers) may be exposed to excessive risks in light of the security threats from
hackers and fraudulent insider abuse. Stronger security in password structure and
implementation can help mitigate these risks. Another way to mitigate the risk of scripted
attacks is to make the user ID more random and not based on any easily determined
format or commonly available information. There are three aspects of passwords that
contribute to the security they provide: password secrecy, password length and
composition, and administrative controls.
Password secrecy. The security provided by password-only systems depends on the
secrecy of the password. If another party obtains the password, he or she can perform
the same transactions as the intended user. Passwords can be compromised because of
customer behavior or techniques that capture passwords as they travel over the Internet.
Attackers can also use well-known weaknesses to gain access to a financial institution's
(or its service provider's) Internet-connected systems and obtain password files.
Because of these vulnerabilities, passwords and password files should be encrypted
when stored or transmitted over open networks such as the Internet. The system should
prohibit any user, including the system or security administrator, from printing or viewing
unencrypted passwords. In addition, security administrators should ensure password
files are protected and closely monitored for compromise because if stolen an attacker
may be able to decrypt an encrypted password file.
Financial institutions need to emphasize to customers the importance of protecting the
password's confidentiality. Customers should be encouraged to log off unattended
computers that have been used to access on-line banking systems especially if they
used public access terminals such as in a library, institution lobby, or Internet cafe.
Password length and composition. The appropriate password length and composition
depends on the value or sensitivity of the data protected by the password and the ability
of the user to maintain the password as a shared secret. Common identification items -
for example, dictionary words, proper names, or social security numbers - should not be
used as passwords. Password composition standards that require numbers or symbols
in the sequence of a password, in conjunction with both upper and lower case alphabetic
characters, provide a stronger defense against password-cracking programs. Selecting
letters that do not create a common word but do create a mnemonic - for example the
first letter of each word in a favorite phrase, poem, or song - can create a memorable
password that is difficult to crack.
Systems linked to open networks, like the Internet, are subject to a greater number of
individuals who may attempt to compromise the system. Attackers may use automated
programs to systematically generate millions of alphanumeric combinations to learn a
customer's password (i.e., "brute force" attack). A financial institution can reduce the risk
of password compromise by communicating and enforcing prudent password selection,
providing guidance to customers and employees, and careful protection of the password
file.
Password administration controls. When evaluating password-based e-banking systems,
management should consider whether the authentication system's control capabilities
are consistent with the financial institution's security policy. This includes evaluating such
areas as password length and composition requirements, incorrect log-on lockout,
password expiration, repeat password usage, and encryption requirements, as well as
the types of activity monitoring and exception reports in use.
Each financial institution must evaluate the risks associated with its authentication
methods given the nature of the transactions and information accessed. Financial
institutions that assess the risk and decide to rely on passwords, should implement
strong password administration standards.
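The password administration controls just listed (composition standards, incorrect log-on lockout, repeat password usage, and encrypted storage of the password file), as an added Python example that is not part of the booklet or any vendor's system; the thresholds, the common-word list, and the names check_composition, hash_password, is_reused and LogonGuard are assumptions made for illustration:

```python
"""Password administration controls described in the booklet, shown as an
added example (not FFIEC or any vendor's code): composition standards,
incorrect log-on lockout, and a check against repeat password usage.
All thresholds are assumed policy values, not figures from the booklet."""
import hashlib
import os
import re

MIN_LENGTH = 8                 # assumed policy values
LOCKOUT_THRESHOLD = 5          # rejected log-ons before the account is locked
LOCKOUT_WINDOW_SECONDS = 900   # failures are counted, and the lock held, over 15 minutes
HISTORY_DEPTH = 6              # number of prior passwords a user may not reuse
PBKDF2_ROUNDS = 100_000
# Constructed stand-in for a dictionary of common words; a real deployment uses a large list.
COMMON_WORDS = {"password", "welcome", "banking", "summer", "letmein"}


def check_composition(password: str, user_id: str, ssn: str = "") -> list:
    """Return the policy violations found; an empty list means the password is acceptable.
    Rejects short passwords, missing character classes, common words, the user ID, and
    the customer's Social Security number (the 'widely used customer information' the
    booklet warns against)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs both upper and lower case letters")
    if not re.search(r"\d", password):
        problems.append("needs a number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs a symbol")
    lowered = password.lower()
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a common word")
    if user_id and user_id.lower() in lowered:
        problems.append("contains the user ID")
    if ssn and ssn.replace("-", "") in re.sub(r"\D", "", password):
        problems.append("contains the Social Security number")
    return problems


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-SHA256, so the stored password file never holds plaintext and no
    administrator can view or print a password (the booklet's storage requirement)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def is_reused(password: str, history: list) -> bool:
    """True if the candidate matches any of the last HISTORY_DEPTH stored (salt, digest) pairs."""
    return any(hash_password(password, salt)[1] == digest
               for salt, digest in history[-HISTORY_DEPTH:])


class LogonGuard:
    """Incorrect log-on lockout: after LOCKOUT_THRESHOLD failures inside the window the
    account is locked for the window, which caps scripted guessing at a few tries per window."""

    def __init__(self):
        self._failures = {}      # user_id -> timestamps (seconds) of recent failures
        self._locked_until = {}  # user_id -> time at which the lockout ends

    def is_locked(self, user_id: str, now: float) -> bool:
        # Callers check this before attempting authentication at all.
        return now < self._locked_until.get(user_id, now)

    def record_failure(self, user_id: str, now: float) -> bool:
        """Record a rejected log-on; returns True if this failure triggered a lockout."""
        recent = [t for t in self._failures.get(user_id, []) if now - t < LOCKOUT_WINDOW_SECONDS]
        recent.append(now)
        self._failures[user_id] = recent
        if len(recent) >= LOCKOUT_THRESHOLD:
            self._locked_until[user_id] = now + LOCKOUT_WINDOW_SECONDS
            self._failures[user_id] = []   # fresh count once the lockout expires
            return True
        return False

    def record_success(self, user_id: str) -> None:
        self._failures.pop(user_id, None)
```

The lockout counter is also the source of the "volume of rejected log-on attempts" figure that the security-incident monitoring reports earlier in the booklet call for.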
Administrative controls
Action Summary
E-banking activities are subject to the same risks as other banking processes. However,
the processes used to monitor and control these risks may vary because of e-banking's
heavy reliance on automated systems and the customer's direct access to the
institution's computer network. Some of the controls that help assure the integrity and
availability of e-banking systems are discussed below.
Internal Controls
firewalls should not be the only ones responsible for checking compliance with security
policies related to network access. Customer service employees with access to
confidential customer account information should not be responsible for daily
reconcilements of e-banking transactions.
Dual controls. Some sensitive transactions require more than one employee to approve
the transaction before it is authorized. Large electronic funds transfers or access to
encryption keys are examples of two e-banking activities that would typically warrant
dual controls.
Reconcilements. E-banking systems should provide sufficient accounting reports to allow
employees to reconcile individual transactions to daily transaction totals.
Suspicious activity. Financial institutions should establish fraud detection controls that
could prompt additional review and reporting of suspicious activity. Some potential
concerns to consider include false or erroneous application information, large check
deposits on new e-banking accounts, unusual volume or size of funds transfers, multiple
new accounts with similar account information or originating from the same Internet
address, and unusual account activity initiated from a foreign Internet address. Security-
and fraud-related events may require the filing of a SAR with the Financial Crimes
Enforcement Network (FinCEN).
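The fraud detection controls named in the paragraph above, run over constructed sample records as an added Python example (not FFIEC or vendor code); the thresholds are assumed policy values, the account and event records are constructed, and the "country" field stands in for the IP geolocation lookup an institution would have to supply:

```python
"""Suspicious-activity checks from the booklet's internal controls, run over
constructed e-banking records. Added example, not FFIEC or vendor code; the
thresholds are assumed policy values and 'country' stands in for an IP
geolocation lookup."""
from collections import defaultdict

NEW_ACCOUNT_DAYS = 30            # an account opened within this many days counts as new
LARGE_CHECK_DEPOSIT = 10_000.0   # check deposit size that warrants review on a new account
SHARED_IP_LIMIT = 3              # new accounts from one Internet address inside the window
HOME_COUNTRY = "US"

# Constructed sample data. IP addresses come from the TEST-NET documentation ranges.
ACCOUNTS = [
    {"acct": "A1", "opened": 1,  "ip": "198.51.100.7", "phone": "555-0101"},
    {"acct": "A2", "opened": 2,  "ip": "198.51.100.7", "phone": "555-0102"},
    {"acct": "A3", "opened": 2,  "ip": "198.51.100.7", "phone": "555-0103"},
    {"acct": "A4", "opened": 3,  "ip": "203.0.113.9",  "phone": "555-0104"},
    {"acct": "A5", "opened": 90, "ip": "203.0.113.9",  "phone": "555-0104"},
]
EVENTS = [
    {"acct": "A1", "day": 5,  "type": "check_deposit", "amount": 12_500.0, "country": "US"},
    {"acct": "A5", "day": 95, "type": "check_deposit", "amount": 15_000.0, "country": "US"},
    {"acct": "A4", "day": 60, "type": "check_deposit", "amount": 11_000.0, "country": "US"},
    {"acct": "A4", "day": 61, "type": "transfer",      "amount": 250.0,    "country": "XX"},
    {"acct": "A2", "day": 8,  "type": "transfer",      "amount": 40.0,     "country": "US"},
]


def shared_origin_alerts(accounts):
    """Multiple new accounts opened from the same Internet address within NEW_ACCOUNT_DAYS."""
    by_ip = defaultdict(list)
    for a in accounts:
        by_ip[a["ip"]].append(a)
    alerts = []
    for ip, group in by_ip.items():
        group.sort(key=lambda a: a["opened"])
        for i, first in enumerate(group):   # sliding window over opening days
            window = [a for a in group[i:] if a["opened"] - first["opened"] <= NEW_ACCOUNT_DAYS]
            if len(window) >= SHARED_IP_LIMIT:
                alerts.append(f"shared origin {ip}: accounts {[a['acct'] for a in window]}")
                break
    return alerts


def similar_information_alerts(accounts):
    """New accounts that repeat application details already on file (here, the phone number)."""
    by_phone = defaultdict(list)
    for a in accounts:
        by_phone[a["phone"]].append(a["acct"])
    return [f"shared phone {p}: accounts {accts}" for p, accts in by_phone.items() if len(accts) > 1]


def new_account_deposit_alerts(accounts, events):
    """Large check deposits on accounts still inside the new-account window."""
    opened = {a["acct"]: a["opened"] for a in accounts}
    return [f"large check deposit on new account {e['acct']}: {e['amount']:.2f} on day {e['day']}"
            for e in events
            if e["type"] == "check_deposit" and e["amount"] >= LARGE_CHECK_DEPOSIT
            and e["day"] - opened[e["acct"]] <= NEW_ACCOUNT_DAYS]


def foreign_origin_alerts(events):
    """Account activity initiated from an Internet address outside the home country."""
    return [f"activity from foreign address ({e['country']}) on account {e['acct']}: "
            f"{e['type']} {e['amount']:.2f}"
            for e in events if e["country"] != HOME_COUNTRY]


def review_queue(accounts, events):
    """Everything that should prompt additional review (and possibly a SAR decision)."""
    return (shared_origin_alerts(accounts) + similar_information_alerts(accounts)
            + new_account_deposit_alerts(accounts, events) + foreign_origin_alerts(events))
```

On the constructed data the queue holds five items: the three accounts from 198.51.100.7, the phone number shared by A4 and A5, the two large check deposits on new accounts, and the transfer from a foreign address.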
Similar website names. Financial institutions should exercise care in selecting their
website name(s) in order to reduce possible confusion with those of other Internet sites.
Institutions should periodically scan the Internet to identify sites with similar names and
investigate any that appear to be posing as the institution. Suspicious sites should be
reported to appropriate criminal and regulatory authorities.
Error checks. E-banking activities provide limited opportunities for customers to ask
questions or clarify their intentions regarding a specific transaction. Institutions can
reduce customer confusion and the potential for unintended transactions by requiring
written contracts explaining rights and responsibilities, by providing clear disclosures and
on-line instructions or help functions, and by incorporating proactive confirmations into
the transaction initiation process.
On-line instructions, help features, and proactive confirmations are typically part of the
basic design of an e-banking system and should be evaluated as part of the initial due
diligence process. On-line forms can include error checks to identify common mistakes in
various fields. Proactive confirmations can require customers to confirm their actions
before the transaction is accepted for processing. For example, a bill payment customer
would enter the amount and date of payment and specify the intended recipient. But,
before accepting the customer's instructions for processing, the system might require the
customer to review the instructions entered and then confirm the instruction's accuracy
by clicking on a specific box or link.
Alternate channel confirmations. Financial institutions should consider the need to have
customers confirm sensitive transactions like enrollment in a new on-line service, large
funds transfers, account maintenance changes, or suspicious account activity. Positive
confirmations for sensitive on-line transactions provide the customer with the opportunity
to help catch fraudulent activity. Financial institutions can encourage customer
participation in fraud detection and increase customer confidence by sending
confirmations of certain high-risk activities through additional communication channels
such as the telephone, e-mail, or traditional mail.
Based on activity volumes, the number of customers affected, and the availability of
alternate service channels (branches, checks, etc.), some institutions may not consider
e-banking services "mission critical" and so may not give them a high priority in their
business continuity plan. Management should periodically reassess this decision to
ensure the supporting rationale continues to reflect actual growth and expansion in
e-banking services.
Action Summary
• Clearly identify the official name of the financial institution providing the e-
banking services;
• Properly disclose their customer privacy and security policies on their websites;
and
• Ensure that advertisements, notices, and disclosures are in compliance with
Financial institutions should comply with all legal requirements relating to e-banking,
including the responsibility to provide their e-banking customers with appropriate
disclosures and to protect customer data. Failure to comply with these responsibilities
could result in significant compliance, legal, or reputation risk for the financial institution.
Financial institutions may choose to use a name different from their legal name for their
e-banking operations. Since these trade names are not the institution's official corporate
title, information on the website should clearly identify the institution's legal name and
physical location. This is particularly important for websites that solicit deposits since
persons may inadvertently exceed deposit insurance limits. The risk management
techniques financial institutions should use are based on an "Interagency Statement for
Branch Names" issued May 1, 1998.
Financial institutions that use trade names for e-banking operations should:
• Disclose clearly and conspicuously, in signs, advertising, and similar materials that
the facility is a division or operating unit of the insured institution;
• Use the legal name of the insured institution for legal documents, certificates of
deposit, signature cards, loan agreements, account statements, checks, drafts, and
other similar documents; and
• Train staff of the insured institution regarding the possibility of customer confusion
with respect to deposit insurance.
Disclosures must be clear, prominent, and easy to understand. Examples of how Internet
disclosures may be made conspicuous include using large font or type that is easily
viewable when a page is first opened; inserting a dialog page that appears whenever a
customer accesses a webpage; or placing a simple graphic near the top of the page or in
close proximity to the financial institution's logo. These examples are only some of the
possibilities for conspicuous disclosures given the available technology. Front-line
employees (e.g., call center staff) should be trained to ensure that customers understand
these disclosures and mitigate confusion associated with multiple trade names.
Website Content
Financial institutions can take a number of steps to avoid customer confusion associated
with their website content. Some examples of information a financial institution might
provide to its customers on its website include:
• The name of the financial institution and the location of its main office (and branch
offices if applicable);
• The identity of the primary financial institution supervisory authority responsible for
the supervision of the financial institution's main office;
• Instructions on how customers can contact the financial institution's customer service
center regarding service problems, complaints, suspected misuse of accounts, etc.;
• Instructions on how to contact the applicable supervisor to file consumer complaints;
and
• Instructions for obtaining information on deposit insurance coverage and the level of
protection that the insurance affords, including links to the FDIC or NCUA websites
at http://www.fdic.gov or www.ncua.gov, respectively.
The general requirements and controls that apply to paper-based transactions also apply
to electronic financial services. Consumer financial services regulations generally require
that institutions send, provide, or deliver disclosures to consumers as opposed to merely
making the disclosures available. Financial institutions are permitted to provide such
disclosures electronically if they obtain consumers' consent in a manner consistent with
the requirements of the federal Electronic Signatures in Global and National Commerce
Act (the E-Sign Act). The Federal Reserve Board has issued interim rules providing
guidance on how the E-Sign Act applies to the consumer financial services and fair
lending laws and regulations administered by the Board. [66 Federal Register 17,779
(April 4, 2001) (Regulation B, Equal Credit Opportunity); 66 Federal Register 17,786
(April 4, 2001) (Regulation E, Electronic Fund Transfers); 66 Federal Register 17,795
(April 4, 2001) (Regulation DD, Truth in Savings); 66 Federal Register 17,322 (March 30,
2001) (Regulation M, Consumer Leasing); 66 Federal Register 17,329 (March 30, 2001)
(Regulation Z, Truth in Lending).] However, mandatory compliance with the interim rules
was not required at the time of this booklet's publication. [66 Federal Register 41,439
(August 8, 2001) (lifting mandatory compliance date).] Financial institutions may provide
electronic disclosures under their existing policies or practices, or may follow the interim
rules, until the Board issues permanent rules.
When disclosures are required to be in writing, the E-Sign Act requires that financial
Endnotes
[1] Under the Electronic Signatures in Global and National Commerce Act, Pub. L.
106-229, (E-SIGN Act), to obtain effective consumer consent to receiving
electronic disclosures, financial institutions must among other things inform
consumers of the hardware and software requirements for retention of electronic
records that will be provided as disclosures. 15 USC 7001(c)(1)(B). This
requirement should be carefully considered by institutions whose customers wish
to use wireless devices with limited storage as their primary access device.
[2] The Act specifically provides that an oral communication will not qualify as an
"electronic record." 15 USC 7001(c)(6). The treatment of voice recognition
technology under this provision is uncertain.
The examiner's primary goal in reviewing e-banking activities is to determine whether the
institution is providing e-banking products and services in a safe and sound manner that
supports compliance with consumer-protection regulations. This determination is based
on whether the institution's risk management practices are commensurate with the level
of risk in its e-banking activities.
The e-banking examination procedures are a tool to help examiners reach conclusions
regarding the effectiveness of an institution's risk management of e-banking activities.
Examiners should use their judgment, consistent with the institution's supervisory
strategy, in selecting applicable examination objectives and determining the need for
specific testing of controls. Examiners may rely on the work of auditors and consultants
deemed independent and competent in establishing their examination scope.
The examination procedures that follow focus on the risks inherent in the processes and
technologies supporting e-banking products and services. They supplement, but do not
replace, procedures from other IT Handbook booklets that apply to general IT activities
(e.g., program development and maintenance, networking, information security, etc.).
Depending on the scope of coverage targeted, examiners should consider using these
procedures in combination with others from the IT Handbook and related issuances.
The structure of the e-banking examination procedures parallels the structure of the
narrative portion of this booklet. The procedures cover:
Depending on the complexity of the institution's activities and the scope of prior reviews,
it is generally not necessary to complete all of the examination objectives or procedures
in order to reach conclusions on the effectiveness of the financial institution's risk
management processes. The procedures are designed for conducting targeted,
integrated reviews of new or significantly expanded e-banking services. However, for
follow-up activities or e-banking reviews conducted as part of a comprehensive review of
an institution's IT activities, examiners should customize their e-banking coverage to
avoid duplication of topics covered in other examination programs.
This section of the booklet also includes discussion points examiners can use as a
party, management should plan for recovery of critical e-banking technology and
business functions and develop alternate operating processes for use during service
disruptions.
Insurance - A review of insurance coverage may be in order to determine if existing
policies specifically cover or exclude activities conducted over open networks like the
Internet.
Expertise - The financial institution should ensure it has the proper level of expertise to
make business decisions regarding e-banking and network security. The board of
directors and senior management may need to enhance their understanding of
technology issues. If such expertise is not available in-house, the institution should
consider engaging outside expertise.
General Procedures
Objective 1: Determine the scope for the examination of the institution's e-banking
activities consistent with the nature and complexity of the institution's operations.
1. Review the following documents to identify previously noted issues related to the e-
banking area that require follow-up:
2. Identify the e-banking products and services the institution offers, supports, or
provides automatic links to (i.e., retail, wholesale, investment, fiduciary, e-commerce
support, etc.).
4. Identify third-party providers and the extent and nature of their processing or support
services.
5. Discuss with management or review MIS or other monitoring reports to determine the
institution's recent experience and trends for the following:
6. Review audit and consultant reports, management's responses, and problem tracking
systems to identify potential issues for examination follow-up. Possible sources include:
• Internal and external audit reports and SSAE-16 Attestation reports and reviews for
service providers,
• Security reviews/evaluations from internal risk review or external consultants
(includes vulnerability and penetration testing), and
• Findings from GLBA security and control tests and annual GLBA reports to the
board.
8. Review the institution's e-banking site(s) to gain a general understanding of the scope
of e-banking activities and the website's organization, structure, and operability.
10. Based on the findings from the previous steps, determine the scope of the e-banking
review. Discuss, as appropriate, with the examiner or office responsible for supervisory
oversight of the institution.
Select from among the following examination objectives and procedures those that are
appropriate to the examination's scope. When more in-depth coverage of an area is
warranted, examiners should select procedures from other booklets of the IT Handbook
as necessary (e.g., "Information Security Booklet," "Retail Payments Systems Booklet,"
etc.). For more complex e-banking environments, examiners may need to integrate IT
coverage with business line-specific coverage. In those cases, examiners should consult
other subject matter experts and consider inclusion of the member agency's expanded
procedures (e.g., compliance, retail lending, fiduciary/asset management, etc.).
1. Evaluate the institution's short- and long-term strategies for e-banking products and
services. In assessing the institution's planning processes, consider whether:
• The scope and type of e-banking services are consistent with the institution's overall
mission, strategic goals, operating plans, and risk tolerance;
• The institution's MIS is adequate to measure the success of e-banking strategies
based on clearly defined organizational goals and objectives;
• Management's understanding of industry standards is sufficient to ensure
compatibility with legacy systems;
• Cost-benefit analyses of e-banking activities consider the costs of start-up,
operation, administration, upgrades, customer support, marketing, risk management,
monitoring, independent testing, and vendor oversight (if applicable);
• Management's evaluation of security risks, threats, and vulnerabilities is realistic and
consistent with institution's risk profile;
• Management's knowledge of federal and state laws and regulations as they pertain
to e-banking is adequate; and
• A process exists to periodically evaluate the institution's e-banking product mix and
marketing successes and link those findings to its planning process.
3. Assess the level of oversight by the board and management in ensuring that planning
and monitoring are sufficiently robust to address heightened risks inherent in e-banking
products and services. Consider whether:
• Senior management evaluates whether technologies and products are in line with
the financial institution's strategic goals and meet market needs;
• Senior management periodically evaluates e-banking performance relative to
original/revised project plans;
• Senior management has developed, as appropriate, exit strategies for high-risk
activities; and
• Institution personnel have the proper skill sets to evaluate, select, and implement e-
banking technology.
5. Determine whether audit coverage of e-banking activities is appropriate for the type of
services offered and the level of risk assumed. Consider the frequency of e-banking
reviews, the adequacy of audit expertise relative to the complexity of e-banking activities,
and the extent of functions outsourced to third-party providers. The audit scope should
include:
Objective 3: Determine the quality of the institution's risk management over outsourced
technology services.
• Strategic and business plans are consistent with outsourcing activity, and
• Vendor information was gathered and analyzed prior to signing the contract, and the
analysis considered the following:
Vendor reputation;
Financial condition;
Costs for development, maintenance, and support;
Internal controls and recovery processes; and
Ability to provide required monitoring reports.
2. Determine whether the institution has reviewed vendor contracts to ensure that the
responsibilities of each party are appropriately identified. Consider the following
provisions if applicable:
3. Assess the adequacy of ongoing vendor oversight. Consider whether the institution's
oversight efforts include:
1. Determine whether the institution's written security program for customer information
required by GLBA guidelines includes e-banking products and services.
4. Determine the adequacy of the institution's authentication methods and need for multi-
factor authentication relative to the sensitivity of systems or transactions. Consider the
following processes:
• Account access
• Intrabank funds transfer
• Account maintenance
• Electronic bill payment
• Corporate cash management
• Other third-party payments or asset transfers
user IDs.
7. Evaluate the appropriateness of incident response plans. Consider whether the plans
include:
• A response process that assures prompt notification of senior management and the
board as dictated by the probable severity of damage and potential monetary loss
related to adverse events;
• Adequate outreach strategies to inform the media and customers of the event and
any corrective measures;
• Consideration of legal liability issues as part of the response process, including
notifications of customers specifically or potentially affected; and
• Information-sharing procedures to bring security breaches to the attention of
appropriate management and external entities (e.g., regulatory agencies, Suspicious
Activity Reports, information-sharing groups, law enforcement, etc.).
• Independent audits
• Vulnerability assessments
• Penetration testing
3. Determine whether audit trails for e-banking activities are sufficient to identify the
source of transactions. Consider whether audit trails can identify the source of the
following:
4. Evaluate the physical security over e-banking equipment, media, and communication
lines.
• Adequate analysis and mitigation of any single points of failure for critical networks;
• Strategies to recover hardware, software, communication links, and data files; and
• Regular testing of back-up agreements with external vendors or critical suppliers.
1. Determine how the institution stays informed on legal and regulatory developments
associated with e-banking and thus ensures e-banking activities comply with appropriate
consumer compliance regulations. Consider:
• Existence of a process for tracking current litigation and regulations that could affect
the institution's e-banking activities;
• Assignment of personnel responsible for monitoring e-banking legislation and the
requirements of or changes to compliance regulations; and
• Inclusion of e-banking activity and website content in the institution's compliance
management program.
2. Review the website content for inclusion of federal deposit insurance logos if insured
depository services are offered (12 CFR 328 or 12 CFR 740).
3. Review the website content for inclusion of the following information which institutions
should consider to avoid customer confusion and communicate customer
responsibilities:
• Disclosure of corporate identity and location of head and branch offices for financial
institutions using a trade name;
• Disclosure of applicable regulatory information, such as the identity of the institution's
primary regulator or information on how to contact or file a complaint with the
regulator;
• Conspicuous notices of the inapplicability of FDIC/NCUA insurance to, the potential
risks associated with, and the actual product provider of, the specific investment and
insurance products offered;
4. If the financial institution electronically delivers consumer disclosures that are required
to be provided in writing, assess the institution's compliance with the E-Sign Act. Review
to determine whether:
• The disclosures:
- Are clear and conspicuous;
- Inform the consumer of any right or option to receive the record in paper or non-
electronic form;
- Inform the consumer of the right to withdraw consent, including any conditions,
consequences, or fees associated with such action;
- Inform consumers of the hardware and software needed to access and retain the
disclosure for their records; and
- Indicate whether the consent applies to only a particular transaction or to identified
categories of records.
• The procedures the consumer uses to affirmatively consent to electronic delivery
reasonably demonstrate the consumer's ability to access/view disclosures.
EXAMINATION CONCLUSIONS
2. As applicable to your agency, identify risk areas where the institution's risk
management processes are insufficient to mitigate the level of increased risks attributed
to e-banking activities. Consider:
• Transaction/operations risk
• Credit risk
• Liquidity risk
• Interest rate and price/market risk
• Compliance/legal risk
• Strategic risk
• Reputation risk
• Significant control weaknesses or risks (note the root cause of the deficiency,
consequence of inaction or benefit of action, management corrective action, the time
frame for correction, and the person responsible for corrective action);
• Deviations from safety and soundness principles that may result in financial or
operational deterioration if not addressed; or
• Substantive noncompliance with laws or regulations.
6. Revise draft e-banking comments to reflect discussions with management and finalize
comments for inclusion in the report of examination.
Objective 1 - Determine the scope for the examination of the institution's e-banking
activities consistent with the nature and complexity of the institution's operations.
• An organization chart of e-banking personnel including the name, title, and phone
number of the e-banking examination contact.
• A list of URLs for all financial institution-affiliated websites.
• A list of all e-banking platforms utilized and network diagrams including servers,
routers, firewalls, and supporting system components.
• A list of all e-banking related products and services including transaction volume
data on each if it is available.
• A description of any changes in e-banking activities or future e-banking plans since
the last exam.
• Diagrams illustrating the e-banking transaction workflow.
• Copies of recent monitoring reports that illustrate trends and experiences with
intrusion attempts, successful intrusions, fraud losses, service disruptions, customer
complaint volumes, and complaint resolution statistics.
• Copies of findings from, and management/board responses to, the following:
- Internal and external audit reports (including third-party reviews on service
providers and testing of the information security program),
- Annual tests of the written information security program as required by GLBA,
- Vulnerability assessments,
- Penetration tests, and
- Other independent security tests or e-banking risk reviews
Objective 3 - Determine the quality of the institution's risk management over outsourced
technology services.
• A list of security software tools employed by the institution including product name,
vendor name, and version number for filtering routers, firewalls, network-based
intrusion detection software (IDS), host-based IDS, and event correlation analysis
software (illustrate placement on network diagram);
• Policies related to identification and patching of new vulnerabilities; and
• Descriptions of router access control rules, firewall rules, and IDS event detection
and response rules including the corresponding logs.
Appendix B: Glossary
Digital certificate - The electronic equivalent of an ID card that authenticates the
originator of a digital signature.
Direct data feed - A process used by information aggregators to gather information
directly from a website operator rather than copying it from a displayed webpage.
E-Banking - The remote delivery of new and traditional banking products and services
through electronic delivery channels.
E-mail server - A computer that manages e-mail traffic.
Encryption - A data security technique used to protect information from unauthorized
inspection or alteration. Information is encoded so that the data appears as a meaningless
string of letters and symbols during storage or transmission. Upon receipt, the
information is decrypted using the corresponding key.
Firewall - A hardware or software link in a network that relays only data packets clearly
intended and authorized to reach the other side.
Framing - A frame is an area of a webpage that scrolls independently of the rest of the
webpage. Framing generally refers to the use of a standard frame containing information
(like company name and navigation bars) that remains on the screen while the user
moves around the text in another frame.
Gateway server - A computer (server) that connects a private network to the private
network of a servicer or other business.
Hacker - An individual who attempts to break into a computer without authorization.
Hardening - The process of securing a computer's administrative functions or inactivating
those features not needed for the computer's intended business purpose.
Hash Totals - A numerical summation of one or more corresponding fields of a file that
would not ordinarily be summed. Typically used to detect when changes in electronic
information have occurred.
Hosting - See "Website Hosting".
Hyperlink - An item on a webpage that, when selected, transfers the user directly to
another location in a hypertext document or to another webpage, perhaps on a different
machine. Also simply called a "link."
Hypertext Markup Language (HTML) - A set of codes that can be inserted into text files
to indicate special typefaces, inserted images, and links to other hypertext documents.
Interface - Computer programs that translate information from one system or application
into a format required for use by another system or application.
Internet - The global system of interconnected computer networks that use the Internet
protocol suite (TCP/IP) to link billions of devices worldwide.
Internet service provider (ISP) - A company that provides its customers with access to
websites, improve performance by storing webpages locally, and hide the internal
network's identity so monitoring is difficult for external users.
Public key - See "PKI".
Repudiation - The denial by one of the parties to a transaction of participation in all or
part of that transaction or of the content of the communication.
Router - A hardware device that connects two or more networks and routes incoming
data packets to the appropriate network.
Script - A file containing active content; for example, commands or instructions to be
executed by the computer.
Secure Sockets Layer (SSL) - A protocol that encrypts data in transit between a browser
and a server and is used to transmit private documents through the Internet.
Server - A computer or other device that manages a network service. An example is a
print server, which is a device that manages network printing.
Smart cards - A card with an embedded computer chip on which information can be
stored and processed.
Screen scraping - A process used by information aggregators to gather information from a
website the customer uses, whereby the aggregator accesses the target site by logging in as the
customer, electronically reads and copies selected information from the displayed
webpage(s), then redisplays the information on the aggregator's site. The process is
analogous to "scraping" the information off the computer screen.
Suspicious activity report (SAR) - A report required to be filed under the Bank Secrecy Act
when a financial institution identifies or suspects fraudulent activity.
Token - A small device with an embedded computer chip that can be used to store and
transmit electronic information. A soft token is a software-based token.
Topology - See "Network diagram".
Uniform Resource Locator (URL) - Abbreviation for "Uniform (or Universal) Resource
Locator." A way of specifying the location of publicly available information on the
Internet, in the form: protocol://machine:port number/filename. Often the port number
and/or filename are unnecessary.
Virtual Mall - An Internet website offering products and services from multiple vendors or
suppliers.
Virtual private network (VPN) - A computer network that uses public telecommunication
infrastructure, such as the Internet, to provide remote offices or individual users with
secure access to their organization's network.
Virus - Malicious code that replicates itself within a computer.
Weblinking - The use of hyperlinks to direct users to webpages of other entities.
Website - A webpage or set of webpages designed, presented, and linked together to
form a logical information resource and/or transaction initiation function.
Website hosting - The service of providing ongoing support and monitoring of an
2000)
• SR Letter 99-08: Uniform Rating System for Information Technology (March 31,
1999)
• SR Letter 98-14: Interagency Policy Statement on Branch Names (June 3, 1998)
• SR Letter 98-09: Assessment of Information Technology in the Risk-Focused
Frameworks for the Supervision of Community Banks and Large Complex Banking
Organizations (April 20, 1998)
• SR Letter 97-32: Sound Practices Guidance for Information Security for Networks
(December 4, 1997)
• SR Letter 97-28: Guidance Concerning the Reporting of Computer-Related Crimes
by Financial Institutions (November 6, 1997)
• FIL-68-99: Risk Assessment Tools And Practices For Information System Security
(July 7, 1999)
• FIL-49-99: Bank Service Company Act (June 3, 1999)
• FIL-98-98: Pretext Phone Calling (September 2, 1998)
• FIL-86-98: Electronic Commerce and Consumer Privacy (August 17, 1998)
• FIL-79-98: Electronic Financial Services and Consumer Compliance (July 16, 1998)
• FIL-46-98: Guidance on the Use of Trade Names (May 1, 1998)
• FIL-131-97: Security Risks Associated with the Internet (December 18, 1997)
• FIL-124-97: Suspicious Activity Reporting (December 5, 1997)
• FIL-14-97: Electronic Banking Examination Procedures (February 26, 1997)
• FIL-59-96: Stored Value Cards and Other Electronic Payment Systems (August 6,
1996)
RISK IMPLICATIONS
Financial institutions engaged in aggregation services assume an increased level of risk
and must institute compensating risk management practices.
Transaction/operations risk - The highly sensitive nature of the information collected and
stored by aggregators greatly increases the risk associated with aggregation services.
The aggregator's ability to protect stored customer IDs and passwords and to provide
accurate and timely delivery of information from the customer's accounts is the most
significant factor in assessing the level of operations risk in aggregation services.
Strategic risk - Strategic risk is the second highest exposure in aggregation services.
This is due not only to the relatively unproven success of this service, but also to the fact
that the applicability of legal and compliance requirements to the service has yet to be
fully defined.
Reputation risk - Reputation risk is another significant consideration in aggregation
services. However, in most instances it is a second-tier issue (i.e., potential damage to
the institution's reputation stemming from operational or legal risk issues discussed
above).
RISK MANAGEMENT
Risk management of aggregation services is based on the same concepts that apply to
other financial services (i.e., risk identification, measurement, monitoring, and control).
Some of the unique concerns financial institutions should consider in managing
aggregation risks are discussed below.
Typically, a financial institution provides an aggregation service under its brand name
through a third-party service provider. That service provider serves as a prime
contractor, specializing in gathering, storing, protecting, and presenting information to the
customer. The third-party service provider, in turn, may outsource some of its features,
such as bill payment, to other specialists. The institution or third-party service provider
also may provide or outsource software that analyzes customer behavior and suggests
financial products for that customer. Aggregated financial information often comes from
other websites, the owners of which may not be aware that they are providing content
and thus lack contracts or agreements with the aggregating institution or service
provider.
Because aggregation is at an early stage of development and customer acceptance is
low, institutions should consider how evolving standards and customer acceptance for
aggregation services may affect e-banking strategies. Further, reliance on third-party
service providers introduces strategic risks that institutions should consider. For
example, some third-party service providers may be financially unstable or unable to
provide reliable service. Others may develop or market services in ways that are
incompatible with the institution's goals. Further, some arrangements, such as co-
branding, may make it more difficult to change providers, if problems arise.
The viability of aggregation services depends heavily on meeting customer expectations,
including availability, confidentiality, data integrity, and overall service quality. Moreover,
as customer acceptance grows, customers are likely to expect aggregator institutions to
innovate and provide additional services. Failure to meet customer expectations
(whether provided by the institution or a third-party provider) can undermine customer
confidence and trust. This could hinder the institution's ability to retain existing customers
and to offer other e-banking products and services in the future.
TRANSACTION SECURITY
Aggregation relies on data transmission from various websites through the aggregator's
website to the end-customer's Internet browser. If the integrity of the data is
compromised or if the data is not current, the customer could receive erroneous or dated
information, which could adversely affect customer decisions. Timely and correct
information is especially important in environments where purchases, sales, and asset
transfers take place.
Information security is critical because aggregators centralize the storage of usernames
and passwords that provide access to other websites, as well as personally identifiable
customer information from many other websites. A security breach could compromise
numerous customer accounts. Because sensitive information is centralized, attackers
may be more likely to target the aggregator's systems. A financial institution acting as an
aggregator should carefully consider its potential liabilities and assess whether it and its
third-party providers have adequate security.
Inadequate authentication measures may expose aggregator institutions to liability if
these measures weaken the security of other websites. Because both the aggregator
and the customer typically enter the target website using the same username and
password, the target Website may not be able to identify the true system user (i.e.,
customer or aggregator), diminishing the effectiveness of the target's access controls
and record keeping. Additionally, entry to the target website may be gained automatically
at the aggregator's website, effectively bypassing some of the target website's
DATA GATHERING
Aggregators typically collect data from target websites by one of two means: screen
scraping or direct data feeds. Screen scraping involves copying information from a target
webpage accessed using the customer's previously provided password and PIN. Such
activity may occur without the consent or knowledge of the target website. Direct data
feeds involve the cooperative exchange of information between the target website and
the aggregator. Data-feed arrangements frequently reduce transaction risk by
implementing technologies that are more reliable and traceable than other data-
gathering techniques.
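The attribution problem raised above (the target website sees the customer's credential whether the customer or the aggregator presents it, so its access controls and records cannot tell the two apart) is at least detectable from the target site's own access log: the same credential producing successful logins from several client sources within minutes is the footprint screen scraping leaves. The following is an added example, not code from the FFIEC booklet or any institution's system. The log line format, field names, addresses and user agents are all constructed for illustration, and the one-hour window is an assumed tuning value.

```python
"""Flag customer credentials used from more than one client source in a
short window, the pattern an aggregator logging in "as the customer"
leaves on a target website's access log.  Added example; the log format
below is an assumption, not a real product's format."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines (not real data).  Assumed format:
# <ISO timestamp> login user=<id> src=<ip> ua="<user agent>" result=<ok|fail>
SAMPLE_LOG = """\
2003-08-01T08:02:11 login user=jdoe src=203.0.113.7 ua="Mozilla/4.0 (compatible; MSIE 6.0)" result=ok
2003-08-01T08:05:43 login user=jdoe src=198.51.100.20 ua="AggregatorBot/1.2" result=ok
2003-08-01T08:06:02 login user=jdoe src=198.51.100.21 ua="AggregatorBot/1.2" result=ok
2003-08-01T09:30:00 login user=asmith src=203.0.113.9 ua="Mozilla/4.0 (compatible; MSIE 6.0)" result=ok
2003-08-02T07:00:00 login user=asmith src=203.0.113.9 ua="Mozilla/4.0 (compatible; MSIE 6.0)" result=ok
2003-08-01T10:00:00 login user=bjones src=192.0.2.5 ua="Mozilla/5.0" result=fail
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) '
    r'ua="(?P<ua>[^"]*)" result=(?P<result>\w+)$')


def parse_log(text):
    """Parse lines in the assumed format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        events.append(d)
    return events


def find_shared_credential_use(events, window=timedelta(hours=1)):
    """Return {user: sorted list of (src, ua)} for every user whose
    credential produced successful logins from more than one distinct
    (source address, user agent) pair inside `window`.  Failed logins are
    ignored: they show guessing, not a second party holding the password."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "ok":
            by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            sources = {(first["src"], first["ua"])}
            for later in evs[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break
                sources.add((later["src"], later["ua"]))
            if len(sources) > 1:
                flagged.setdefault(user, set()).update(sources)
    return {u: sorted(s) for u, s in flagged.items()}


if __name__ == "__main__":
    for user, sources in find_shared_credential_use(parse_log(SAMPLE_LOG)).items():
        print(user, "->", sources)
```

In the constructed log, jdoe's credential is used from three sources within four minutes and is flagged; asmith logs in twice from one source a day apart and is not. This is a heuristic that surfaces the behaviour, not an attribution: the log still cannot say which of the three sessions was the customer. Only a direct data feed in which the aggregator authenticates with its own credential gives the target site a record that names the true system user.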
In some cases, aggregators may be blocked from gaining access to information from
target websites. For example, target websites may change the location of information on
a webpage or change passwords. Additionally, the target websites may have data
integrity problems that they report on their webpage. This information may not be
captured by the aggregator's information collection mechanisms and reported to the
institution's customers. Such situations may result in failing to meet customer
expectations and may result in inaccurate or incomplete information. Another challenge
facing aggregators is the interpretation and accurate presentation of the data gathered
from other websites. For example, aggregators may discover similarly named data
elements have different definitions. An incorrect presentation of data could result in
customer confusion and incorrect decisions.
Regulation E
In aggregating customer information, institutions should closely monitor regulatory
changes in the application of Regulation E. Currently, Regulation E, which implements
the Electronic Fund Transfer Act, does not specifically address the responsibilities of
aggregators. The Federal Reserve Board requested comments on this issue in June
2000. A final regulation had not been issued at the time of this booklet's issuance. In the
absence of guidance, institution management should be conservative when interpreting
possible Regulation E compliance obligations in connection with aggregation services.
Aggregators that provide electronic fund transfer services could come within the current
coverage of Regulation E in the following ways.
Institutions and aggregation service providers should also consider the possibility that
providing customers with an automatic log-on feature to conduct electronic fund transfers
on other entities' websites could trigger the application of Regulation E if such automatic
log-on features could be considered, in essence, an access device for electronic fund
transfer services.
Asset Management
Asset management encompasses a broad range of activities, such as trust and fiduciary
services, retail brokerage, and financial planning, where investment advice is provided
for a fee or commission. In particular, institutions aggregating clients' account information
should ensure compliance with the Bank Secrecy Act. Depending on the nature of the
services provided in connection with aggregation of account information, financial
institutions should also comply with the Employee Retirement Income Security Act of
1974 (ERISA), and other applicable laws, regulations, and policies. Banks should also
comply with applicable fiduciary standards imposed pursuant to 12 CFR Part 9 and
savings associations should also comply with 12 CFR part 550.
In addition to aggregating account information, aggregator institutions may provide links
to affiliated and unaffiliated third-party websites that allow consumers to buy securities
and insurance products directly. In these instances, institutions should clearly distinguish
on their websites between products and services that are offered by the institution and
those offered by third parties. In general, the institution should use clear and
conspicuous language to explain its role and responsibility for products and services
offered on any third-party webpages. For institution webpages that provide links to third-
party pages that enable institution customers to open accounts or initiate transactions for
non-deposit investment products, the disclosures also should alert customers to risks
associated with those products (e.g., by stating that the products are not insured by the
FDIC, are not a deposit, and may lose value).
Privacy
Institutions that provide aggregation services should be aware of various legal provisions
protecting the confidentiality of consumer information that affect aggregation activities.
Institutions are strongly advised to evaluate the privacy provisions of GLBA and
requirements of the Fair Credit Reporting Act (FCRA) regarding the disclosure of
consumer information received in connection with providing aggregation services. In
particular, a financial institution that provides aggregation services should ensure that its
privacy policy required by GLBA accurately reflects the categories of information that it
collects and discloses in its aggregator role, which may differ from the types of
information that the institution collects and discloses with respect to customers of its own
banking products or services. Institutions also should be aware that a financial institution
may freely disclose to other parties its own transaction or experience information that
bears on consumers' creditworthiness, personal characteristics, or mode of living.
However, the sharing of information, whether with affiliates or with unrelated third parties, that does
not relate to a financial institution's own transactions and experiences may trigger the
requirements of FCRA.
It is important to note that compliance with one statute will not guarantee compliance
with the other.
RECORD KEEPING
If aggregation services include the initiation of transactions, institution management
should assure aggregation processes are sufficiently robust to address issues relating to
the validity of transactions, such as attribution and non-repudiation. Those processes go
beyond security measures and encompass coordination of record keeping with other
websites. That coordination should be sufficient to enable the tracing of a transaction
from the customer through the institution to the other websites, with reasonable controls
to protect against unauthorized changes to the transaction. Good records can improve a
financial institution's position in the event of disputes. Record keeping requirements
should be based upon the level of activity and risk.
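One concrete form of the coordinated record keeping described above is a trace in which every hop the transaction passes through (customer entry point, institution, target website) appends a record that commits to the transaction content and to the previous hop's record, so that after the fact the transaction can be followed end to end and any alteration of an intermediate record is visible. The following is an added example, not code from the FFIEC booklet or any vendor's product. The hop names, the per-hop keys and the record layout are constructed for illustration. Note the caveat in the code: HMAC with keys shared among the parties gives tamper evidence among those parties, which is what attribution and tracing need; true non-repudiation toward an outside party would require each hop to sign with a private key instead.

```python
"""Tamper-evident, hop-by-hop trace of a transaction across the customer,
the institution and a target website.  Added example with constructed
keys and hop names; HMAC gives integrity among the key holders, not
non-repudiation toward third parties (that needs digital signatures)."""
import hashlib
import hmac
import json

# Constructed demo keys.  In practice each party holds only its own key.
HOP_KEYS = {
    "customer_gateway": b"k-customer-demo",
    "institution": b"k-institution-demo",
    "target_site": b"k-target-demo",
}


def _canonical(obj):
    """Stable byte encoding so both writer and verifier hash the same thing."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def append_record(chain, hop, correlation_id, payload):
    """Append one hop's record.  Each record commits to the transaction
    payload (by hash), to its position, and to the previous record's tag."""
    prev_tag = chain[-1]["tag"] if chain else ""
    record = {
        "hop": hop,
        "correlation_id": correlation_id,
        "seq": len(chain),
        "payload_sha256": hashlib.sha256(_canonical(payload)).hexdigest(),
        "prev_tag": prev_tag,
    }
    record["tag"] = hmac.new(HOP_KEYS[hop], _canonical(record),
                             hashlib.sha256).hexdigest()
    chain.append(record)
    return record


def verify_chain(chain, keys=HOP_KEYS):
    """Return (True, None) if every record's tag and linkage check out,
    else (False, index_of_first_bad_record)."""
    expected_prev = ""
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "tag"}
        if rec["seq"] != i or rec["prev_tag"] != expected_prev:
            return False, i
        key = keys.get(rec["hop"])
        if key is None:
            return False, i
        calc = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(calc, rec["tag"]):
            return False, i
        expected_prev = rec["tag"]
    return True, None


def payload_matches(chain, payload):
    """True if every hop recorded exactly this transaction content."""
    h = hashlib.sha256(_canonical(payload)).hexdigest()
    return all(r["payload_sha256"] == h for r in chain)


def trace_transaction(amount, from_acct, to_acct, correlation_id="txn-0001"):
    """Build the three-hop trace for one constructed funds transfer."""
    payload = {"amount": amount, "from": from_acct, "to": to_acct}
    chain = []
    for hop in ("customer_gateway", "institution", "target_site"):
        append_record(chain, hop, correlation_id, payload)
    return chain, payload


if __name__ == "__main__":
    chain, payload = trace_transaction("250.00", "1001", "2002")
    print("intact:", verify_chain(chain), payload_matches(chain, payload))
    chain[1]["payload_sha256"] = "0" * 64   # simulate an altered middle record
    print("tampered:", verify_chain(chain))
```

The correlation_id is what lets the institution ask the target website for its side of the trace; the prev_tag linkage is what makes a re-written middle record detectable even when the tampering party holds that hop's key, because the next hop's record still points at the original tag.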
CONTRACTS
Appropriate contracting can mitigate strategic, reputation, transaction, and compliance
risks. Management should seek to control and manage these risks by structuring
arrangements between the institution and the involved parties. Standardized contracts
and the development and use of industry standards can facilitate those arrangements.
Customer Agreements
Contracting will primarily involve the institution, the institution's customer, and the
aggregation technology provider. Customer agreements should specify the scope of the
aggregating institution's authority to use the customers' passwords and other
authenticators on their behalf. Moreover, customers should be advised of the degree of
responsibility the institution assumes for the timeliness or accuracy of the information
obtained from other websites.
The customer contract should provide the basis for realistic expectations about such
matters as data timeliness and completeness, support, and service levels. For instance,
transaction risks relating to data definitions and timing can be controlled by clearly
disclosing when the aggregated information was obtained from the other websites and
any material changes in the definition of data elements. Institutions should consider how
best to direct customers to those customer service areas, whether at the institution,
technology provider, or operator of another website that can most directly and effectively
help resolve customer issues. Institutions should also be aware that the websites where
information is aggregated might post disclosures that belong with the aggregated
information. Management should consider whether and how to notify their customers of
those disclosures.
Vendor Contracts
The institution's contracts with technology providers should ensure the provided activities
conform to applicable legal and policy standards, and should acknowledge the
institution's regulator's authority to examine and regulate the provided activities
authorized by 12 USC 1867(c) for banks and 12 USC 1464(d)(7) for savings
associations. The contract should clearly disclose and authorize the roles and
responsibilities of the institution and the technology provider. Contracts also should cover
security requirements and reporting, performance reporting, data usage restrictions, data
ownership, indemnification arrangements, data retention policies, business continuation
arrangements, and submission of financial statements.
the device's operating system. A key risk-management control point in wireless banking
occurs at the wireless gateway-server where a transaction is converted from a wireless
standard to a Secure Sockets Layer (SSL) encryption standard and vice versa. Wireless
network security reviews should focus on how institutions establish, maintain, and test
the security of systems throughout the transmission process, from the wireless device to
the institutions' systems and back again. For example, a known wireless security
vulnerability exists when the Wireless Application Protocol (WAP) transmission
encryption process is used. WAP transmissions deliver content to the wireless gateway-
server where the data is decrypted from WAP encryption and re-encrypted for Internet
delivery. This is often called the "gap-in-WAP" (e.g., Wireless Transport Layer Security
(WTLS) to Internet-based TLS). This brief instant of decryption increases risk and becomes
an important control point, as the transaction may be viewable in plain text (unless
encryption also occurred in the application layer). The WAP Forum, a group that
oversees WAP protocols and standards, is discussing ways to reduce or eliminate the
gap-in-WAP security risk.
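The gap-in-WAP control point, as an added Go example that is not from the booklet, the WAP Forum or any vendor: a model gateway that terminates the device-side session and re-encrypts for the institution-side session, exercised once with transport encryption only and once with the application-layer encryption the paragraph names as the mitigation. AES-GCM stands in for both the wireless and the Internet transport protection; the keys and the request are constructed, and the Gateway type and its functions are hypothetical names chosen for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// newGCM builds an AES-GCM AEAD for a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-GCM and prepends the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal; it fails if the key is wrong or the data was altered.
func unseal(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("sealed data too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// Gateway models the wireless gateway-server: it terminates the device-side
// transport encryption and re-encrypts for the Internet-side session. Whatever
// it decrypts in between is kept in Observed, the gap-in-WAP exposure.
type Gateway struct {
	DeviceKey []byte // transport key shared with the wireless device
	BankKey   []byte // transport key shared with the institution
	Observed  []byte // what the gateway held in the clear on the last relay
}

// Relay converts one message from the device-side session to the bank-side session.
func (g *Gateway) Relay(fromDevice []byte) ([]byte, error) {
	inner, err := unseal(g.DeviceKey, fromDevice)
	if err != nil {
		return nil, err
	}
	g.Observed = inner
	return seal(g.BankKey, inner)
}

// SendTransportOnly protects the request with transport encryption alone and
// returns what the institution receives.
func SendTransportOnly(gw *Gateway, request []byte) ([]byte, error) {
	wire, err := seal(gw.DeviceKey, request)
	if err != nil {
		return nil, err
	}
	toBank, err := gw.Relay(wire)
	if err != nil {
		return nil, err
	}
	return unseal(gw.BankKey, toBank)
}

// SendWithAppLayer first encrypts the request end to end under a key shared
// only by the device application and the institution, then sends it over the
// same transport path; the gateway relays ciphertext it cannot read.
func SendWithAppLayer(gw *Gateway, appKey, request []byte) ([]byte, error) {
	inner, err := seal(appKey, request)
	if err != nil {
		return nil, err
	}
	outer, err := SendTransportOnly(gw, inner)
	if err != nil {
		return nil, err
	}
	return unseal(appKey, outer)
}

// GatewaySawPlaintext reports whether the request was readable at the gateway.
func GatewaySawPlaintext(gw *Gateway, request []byte) bool {
	return bytes.Contains(gw.Observed, request)
}

func main() {
	// Constructed demo keys; real sessions negotiate keys rather than hard-coding them.
	dev, bank, app := bytes.Repeat([]byte{1}, 32), bytes.Repeat([]byte{2}, 32), bytes.Repeat([]byte{3}, 32)
	req := []byte("billpay;from=chk-0001;amt=125.00") // constructed sample request
	gw := &Gateway{DeviceKey: dev, BankKey: bank}
	if _, err := SendTransportOnly(gw, req); err != nil {
		panic(err)
	}
	fmt.Println("transport only, gateway saw plaintext:", GatewaySawPlaintext(gw, req))
	if _, err := SendWithAppLayer(gw, app, req); err != nil {
		panic(err)
	}
	fmt.Println("with application layer, gateway saw plaintext:", GatewaySawPlaintext(gw, req))
}
```

Observed is what an inspection of the gateway at the instant of decryption would yield. The relay still works in the second run because the gateway never needs the payload, only the two transport keys; that is the property a review of a wireless gateway should look for when the institution claims application-layer protection.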
Institutions must ensure effective controls are in place to reduce security vulnerabilities
and protect data being transmitted and stored. Under the GLBA guidelines, institutions
considering implementing wireless services are required to ensure that their information
security program adequately safeguards customer information.
PASSWORD SECURITY
Wireless banking increases the potential for unauthorized use due to the limited
availability of authentication controls on wireless devices and higher likelihood that the
device may be lost or stolen. Authentication solutions for wireless devices are currently
limited to username and password combinations that may be entered and stored in clear
text view (i.e., not viewed as asterisks "****"). This creates the risk that authentication
credentials can be easily observed or recalled from a device's stored memory for
unauthorized use.
Cellular phones also have more challenging methods to enter alphanumeric passwords.
Customers need to depress telephone keys multiple times to have the right character
displayed. This process is complicated if a phone masks password entries with asterisks, as the
user may not be certain that the correct password has been entered. This challenge may result
in users selecting passwords and personal identification numbers that are simple to enter
and easy to guess.
STANDARDS AND INTEROPERABILITY
The wireless device manufacturers and content and application providers are working on
common standards so that device and operating systems function seamlessly.
Standards can play an integral role in providing a uniform entry point to legacy
transaction systems. A standard interface would allow institutions to add and configure
interfaces, such as wireless delivery, without having to modify or re-write core systems.
Interoperability is a critical component of mobile wireless because there are multiple
device formats and communication standards that can vary the users' experience.
WIRELESS VENDORS
Institutions typically rely on third-party providers to develop and deliver wireless banking
applications. Reliance on third parties is often necessary to gain wireless expertise and
to keep up with technology advancements and evolving standards. Third-party providers
of wireless banking applications include existing Internet banking application providers
as well as new service providers specializing in wireless communications. These
companies facilitate the transmission of data from the wireless device to the Internet
banking application. Outsourced services may also include managing product and
service delivery to multiple types of devices using multiple communication standards.
Institutions that rely on service providers to provide wireless delivery systems should
ensure that they employ effective risk management practices.
PRODUCT AND SERVICE AVAILABILITY
Wireless communication "dead zones" - geographic locations where users cannot
access wireless systems - expose institutions and service providers to reliability and
availability problems in some parts of the world. For some areas, the communications
dead zones may make wireless banking an unreliable delivery system. Consequently,
some customers may view the institution as responsible for unreliable wireless banking
services provided by third parties. A financial institution's role in delivering wireless
banking includes developing ways to receive and process wireless device requests.
Institutions may find it beneficial to inform wireless banking customers that they may
encounter telecommunication difficulties that will not allow them to use the wireless
banking products and services.
DISCLOSURE AND MESSAGE LIMITATIONS
The screen size of wireless devices and slow communication speeds may limit a
financial institution's ability to deliver meaningful disclosures to customers. However, use
of a wireless delivery system does not absolve a financial institution from disclosure
requirements. Moreover, limitations on the ability of wireless devices to store documents
may affect the institution's consumer compliance disclosure obligations. [1] Additionally,
any institution that opts to rely upon voice recognition technology as a means to
overcome the difficulty of entering data through small wireless devices should be aware
of the uncertain status of voice recognition under the E-SIGN Act. [2]
Wireless banking may expose institutions to liability under the Electronic Fund Transfer
Act (Regulation E) for unauthorized activities if devices are lost or stolen. The risk
exposure is a function of the products, services, and capabilities the institution provides
through wireless devices to its customers. For example, the loss of a wireless device
with a stored access code for conducting electronic fund transfers would be similar to
losing an ATM or debit card with a personal identification number written on it. However,
the risk to the institution may be greater depending on the types of wireless banking
services offered (e.g., bill pay, person-to-person payments) and on the authentication
process used to access wireless banking services.